1992919 - Hit MOZ_CRASH(assertion failed: datagram_size <= max_datagram_size) at /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/connection/mod.rs:2612

Status: RESOLVED FIXED

(Core :: Networking: HTTP, defect, P2)

Description

[Tyson Smith [:tsmith]]

Found with m-c 20251006-b4f1173ee49f (--enable-debug)

This was found by visiting a live website with a debug build.

STR:

• Launch browser and visit site

This issue was triggered by visiting http://songmicshome.co.uk/.

Hit MOZ_CRASH(assertion failed: datagram_size <= max_datagram_size) at /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/connection/mod.rs:2612

7|0|libxul.so|RustMozCrash|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/wrappers.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|18|0x2a
7|1|libxul.so|mozglue_static::panic_hook|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/lib.rs:b4f1173ee49fbd156602c11177de3f333a33911b|99|0xef
7|2|libxul.so|core::ops::function::Fn::call|/builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs|79|0xb
7|3|libxul.so|std::panicking::rust_panic_with_hook|git:github.com/rust-lang/rust:library/std/src/panicking.rs:05f9846f893b09a1be1fc8560e33fc3c815cfecb|839|0x16f
7|4|libxul.so|std::panicking::begin_panic_handler::{{closure}}|git:github.com/rust-lang/rust:library/std/src/panicking.rs:05f9846f893b09a1be1fc8560e33fc3c815cfecb|697|0x65
7|5|libxul.so|std::sys::backtrace::__rust_end_short_backtrace|git:github.com/rust-lang/rust:library/std/src/sys/backtrace.rs:05f9846f893b09a1be1fc8560e33fc3c815cfecb|168|0x8
7|6|libxul.so|rust_begin_unwind|git:github.com/rust-lang/rust:library/std/src/panicking.rs:05f9846f893b09a1be1fc8560e33fc3c815cfecb|695|0x1c
7|7|libxul.so|core::panicking::panic_fmt|git:github.com/rust-lang/rust:library/core/src/panicking.rs:05f9846f893b09a1be1fc8560e33fc3c815cfecb|75|0x1f
7|8|libxul.so|core::panicking::panic|git:github.com/rust-lang/rust:library/core/src/panicking.rs:05f9846f893b09a1be1fc8560e33fc3c815cfecb|145|0x3b
7|9|libxul.so|neqo_transport::connection::Connection::output_dgram_batch_on_path|hg:hg.mozilla.org/mozilla-central:third_party/rust/neqo-transport/src/connection/mod.rs:b4f1173ee49fbd156602c11177de3f333a33911b|2612|0x9ca
7|10|libxul.so|neqo_transport::connection::Connection::process_multiple_output|hg:hg.mozilla.org/mozilla-central:third_party/rust/neqo-transport/src/connection/mod.rs:b4f1173ee49fbd156602c11177de3f333a33911b|1213|0x2072
7|11|libxul.so|neqo_http3::connection_client::Http3Client::process_multiple_output|hg:hg.mozilla.org/mozilla-central:third_party/rust/neqo-http3/src/connection_client.rs:b4f1173ee49fbd156602c11177de3f333a33911b|1042|0xed
7|12|libxul.so|neqo_http3conn_process_output_and_send|hg:hg.mozilla.org/mozilla-central:netwerk/socket/neqo_glue/src/lib.rs:b4f1173ee49fbd156602c11177de3f333a33911b|1015|0x11d
7|13|libxul.so|mozilla::net::Http3Session::ProcessOutput(nsIUDPSocket*)|hg:hg.mozilla.org/mozilla-central:netwerk/protocol/http/Http3Session.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|1139|0x143
7|14|libxul.so|mozilla::net::Http3Session::SendData(nsIUDPSocket*)|hg:hg.mozilla.org/mozilla-central:netwerk/protocol/http/Http3Session.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|1837|0x1cd
7|15|libxul.so|mozilla::net::Http3Session::ProcessOutputAndEvents(nsIUDPSocket*)|hg:hg.mozilla.org/mozilla-central:netwerk/protocol/http/Http3Session.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|1185|0xb2
7|16|libxul.so|mozilla::net::HttpConnectionUDP::OnQuicTimeoutExpired()|hg:hg.mozilla.org/mozilla-central:netwerk/protocol/http/HttpConnectionUDP.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|960|0x46
7|17|libxul.so|mozilla::net::Http3Session::OnQuicTimeout::Notify(nsITimer*)|hg:hg.mozilla.org/mozilla-central:netwerk/protocol/http/Http3Session.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|1201|0x11
7|18|libxul.so|nsTimerImpl::Fire(unsigned long)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsTimerImpl.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|744|0x211
7|19|libxul.so|nsTimerEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TimerThread.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|561|0x3ff
7|20|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|1151|0x77c
7|21|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|462|0x4f
7|22|libxul.so|mozilla::net::nsSocketTransportService::Run()|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsSocketTransportService2.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|1213|0x3d4
7|23|libxul.so|{virtual override thunk({offset(-32)}, mozilla::net::nsSocketTransportService::Run())}|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsSocketTransportService2.cpp:b4f1173ee49fbd156602c11177de3f333a33911b||0xc
7|24|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|1151|0x77c
7|25|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|462|0x4f
7|26|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|299|0xc6
7|27|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b4f1173ee49fbd156602c11177de3f333a33911b|343|0x61
7|28|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|366|0x1be
7|29|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:b4f1173ee49fbd156602c11177de3f333a33911b|191|0x18f
7|30|firefox-bin|set_alt_signal_stack_and_start(PthreadCreateParams*)|hg:hg.mozilla.org/mozilla-central:mozglue/interposers/pthread_create_interposer.cpp:b4f1173ee49fbd156602c11177de3f333a33911b|81|0x10c

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/0ZoFi49l-YO09NPbdjxWVw/index.html

Comment 2

[Kershaw Chang [:kershaw]]

Max, could you take a look? Thanks.

Comment 3

[Max Inden]

Very helpful. Thanks Tyson.

Documenting what I found thus far:

• Panic happening while building second GSO segment.
• First segment is 1252, second is 1253, i.e. one byte too large
• One overflowing byte is added in builder.encode_varint(FrameType::Ping);

Comment 4

[Max Inden]

Got a good understanding of the bug now. Tracked upstream in https://github.com/mozilla/neqo/issues/3046.

Comment 5

[Max Inden]

First off, this has been very helpful. Thank you Tyson for the report, especially with the Pernosco session and thanks Manuel for the Pernosco help. I doubt we would have found this without.

https://github.com/mozilla/neqo/pull/3069 fixes the issue. It is part of Neqo v0.18.0 which just landed in Firefox Nightly.

Tyson, is there any way you can trigger the above execution again to validate whether this is fully resolved?

Comment 6

[Tyson Smith [:tsmith]]

(In reply to Max Inden from comment #5)

First off, this has been very helpful. Thank you Tyson for the report, especially with the Pernosco session and thanks Manuel for the Pernosco help. I doubt we would have found this without.

That is good to know, thanks!

Tyson, is there any way you can trigger the above execution again to validate whether this is fully resolved?

I can no longer reproduce the issue and it is no longer being reported by live site testing, I'll make it fixed. Thank you.